New occasional 2SV checks with verified email

Hello developers,

This week, we released a change that helps protect your account from malicious actors. Users with verified emails will, at times, be required to pass two step verification with that verified email even if they have not explicitly enabled 2SV.

We strongly encourage you to add an email address to your account, complete verification, and enable two step verification if you have not already done so.

Thank you,
Roblox

326 Likes

This topic was automatically opened after 15 minutes.

I like how Roblox is toughening their system- more mandatory checks. Thing is… when?

What does this mean? What is considered “at times?”

I presume you’re referring to signing into your account. If so, what is the criteria when Roblox deems it necessary?

Randomly? Using an advanced AI? In correlation with other automatic security red flags? Manual? Scheduled bi-weekly? It isn’t clear.

Secondly, I find this misleading and giving a false sense of security:


image


As we all know, all it takes is a bad link to bypass 2SV.

74 Likes

Will we just get these periodically while logged in? It would seem pretty annoying for this to happen too frequently.

Will we be able to set how many times we get these?

And say the really low probability of someone guessing your password logs in occurs, and you don’t have 2SV enabled, will they also be prompted with this while we are?
Many questions!

Nonetheless, I appreciate the efforts to improve security.

27 Likes

This is a great change and it is amazing that Roblox is finally taking action on security! Will Roblox aim to move to add more types of security (Google Auth, Titan Key) or anything like that? (Link below for reference.)
https://devforum.roblox.com/t/development-security-discussion/896443
Thanks, Roblox for finally taking action on security!

22 Likes

I’m excited that Roblox is adding this feature, as account security is quite important, 2SV is best if it’s semi mandatory. I hope that this will prevent the most common breaches of accounts, and make the platform more secure for developers and players that are unaware that they shouldn’t be sharing their password with others. I think this is a good idea for all, just an overall security improvement and having it semi mandatory is a good idea for those who may be unaware of breaching and accounts security’s importance.

5 Likes

So are you guys going to check for suspicious activity on an account or what? This is unclear to me.

11 Likes

They appear to be working on authenticator based 2FA (TOTP) as seen in the api documentation here.
But it isn’t enabled for everyone to use. So I’d suspect sometime next year they will enable it.

18 Likes

Why can’t we have 2FA on certain actions such as trades, group fund distributions, purchasing? These have been recommended several times and seems like a good solution for users losing their assets after having their account compromised.


41 Likes

Every day that passes without a rollout of proper 2FA beyond email verification is another day that users with valuable items are at risk of getting everything taken from them and having to go through support to roll it back (if they get a response).

This update is a step in the right direction, but I really wished that Roblox took account security more seriously.

14 Likes

Yeah, hopefully more security measures are added. As Roblox grows, assets become more valuable and therefore users deserve to have the right to fully protect their accounts to the best of their abilities.

7 Likes

I really hope that this is toggle-able, to me personally this sounds unwanted and inconvenient. I don’t want to go to work on one of my games and be inconvenienced by having to pass 2SV again, the initial login 2SV should be enough in my opinion.

8 Likes

You think you could do something like what Discord does with QR code scanning for 2 step verification?
It might be easier, since Roblox’s key demographic are children.
(Unless it’s too insecure)

6 Likes

Thank god. I personally use an authenticator and it would be a lot easier for me to access. Also, nobody can really get into an authenticator unless it’s a cloud based authenticator, so this would be a big up on authentication.

2 Likes

I disagree, this security change is a step in the right direction as @NINJAMASTR999 stated above and this would stop the stealing of Roblox accounts, which is great.
Sometimes users don’t know how to secure their accounts correctly and having this would save thousands of accounts.

4 Likes

At least this helps somewhat.

My account was breached in the past even with 2SV + Account PIN though. Someone somehow bypassed both without sending me any email or indication of a sign in, and changed my settings despite there being an Account PIN enabled.

8 Likes

It’s nice to know that roblox is aware about the security problems and is trying to fix them. But it would be nice if instead of gmail 2FA if it used Google Auth instead.

4 Likes

QR code already has issues on Discord with people scanning QR codes that other people send with malicious intent. That’s probably not a good idea.

5 Likes

What confuses me is the ‘Trust this device for 30 days’ option.

If we get these ‘at times’ 30 days before the last time we entered a code, there really isn’t any point in that right? However, this is a good start.

I hope Roblox will continue to make more efforts in improving account security.

5 Likes

Don’t mind me, just waiting here until I see more movement from Roblox’s end beyond adding the endpoint nearly 3 months ago…

6 Likes